General enquiries :
+44 (0)20 7602 6000
Privacy Notice



CACI understands the importance of being transparent with individuals about how their data is being used, keeping individuals’ personal data secure, lawfully using such personal data and enabling individuals to exercise their privacy rights. EU and UK data protection laws protect individuals when organisations process their personal data, and this is particularly important as newly developed technologies and methods can be a threat to the rights and freedoms of individuals, and in particular, their right to privacy. Also, these laws give increasingly stronger rights to individuals that enable them to have greater control over what organisations do with their personal data. GDPR (General Data Protection Regulation) and the new UK Data Protection Act 2018 (DPA 2018) came into force in May 2018. The DPA 2018 incorporates GDPR and accordingly after the UK leaves the EU (assuming the UK does leave), GDPR will still apply in the UK.

This notice sets out an overview of the personal data that CACI controls, how it is used, and how it is protected. It also contains an overview of individuals’ rights in relation to their personal data and where to go for more information.


Some terminology

B2B: means business to business (e.g. where we send information relating to our business to your work/business email address).

Controller: means anyone (including any company, partnership or government body) that determines how to use the personal data and for what purpose. It is usually the organisation that (a) collected the personal data directly from the data subject or (b) received it from another organisation for its own independent use.

Data subject: means the individual person to whom the personal data relates (i.e. you).

Personal data: means any information that relates to an identified or identifiable living individual.  It can include information which identifies a person (name, address) or factors about their identity (for example, their interests).

Processing: means anything that an organisation does to or with personal data (e.g. collection, storage, use, correction, deletion, access to or transfer of personal data).

Processor: means anyone that processes (e.g. uses, stores or has access to) personal data on behalf of the controller. A processor must not use the personal data it receives for its own independent purposes. 

Who are CACI, and how can you contact us?

CACI Limited is a provider of marketing and information management services to many of the UK’s and world’s leading consumer brands, companies and public-sector organisations. We provide data, software and consultancy services to help our clients market their products and services or manage their information systems more effectively.

We can be contacted as follows:

Compliance Team
CACI Limited
CACI House
Kensington Village
Avonmore Road
London W14 8TS

Tel: 020 7602 6000

CACI has appointed a Data Protection Officer, who can be contacted using the following details:

Data Protection Officer
CACI Limited
CACI House
Kensington Village
Avonmore Road
London W14 8TS

Tel: 020 7602 6000

How do we use personal data?

CACI uses personal data in its business as follows:

(A) Data services: We supply personal data services to our clients, which they use to help them better understand the needs and attributes of their customers and prospective customers. We also supply personal data to organisations that in turn supply that data to their clients. The end purpose is to provide better targeted and relevant direct marketing communications to you. The single largest and most important source of personal data (i.e. name and address data) that CACI buys is the edited Electoral Register data. This data is lawfully collected by local authorities, pursuant to article 6(1)(e) of GDPR, as it is necessary for carrying out their tasks in the public interest or in the exercise of their official authority (as vested in each electoral registration officer under the Representation of the People Act 1983 (as amended) and the associated regulations).  The Representation of the People Act 1983 (as amended) also permits local authorities to sell the name and address data of registered voters, who have not objected, to commercial organisations. Any individual can ask their local authority to remove their personal data from the list that is made commercially available to organisations. CACI buys its copy of the edited Electoral Register from Equifax Limited (to see a copy of their privacy notice go to CACI also buys in other sources of personal data (see Big Table of Information below). The personal data that we buy in is then combined with non-personal data to build classification databases. Also, CACI uses your personal data to create segments, categories, or profiles that are used in our databases, or to provide other data services. Please note that we do not use profiled data to make automated decisions relating to you.

We have two main individual level classification databases, which we call Ocean and Fresco and we have postcode level classification databases, the largest of which we call Acorn. The individual level databases for both OCEAN and Fresco that we create contain personal data and profiled data. For example, our OCEAN database may contain your name, address and profiled attributes/behaviours, such as probability scores as to whether you may have pet insurance and whether you have bought books online in the last 12 months. These probability scores are modelled/predicted scores and are not actual data relating to you; they are created by inputting personal data and non-personal data (e.g. aggregated census data) into an algorithm and then running the computer model to produce probability scores for a wide range of attributes/behaviours. As for our postcode level classification database, Acorn, it contains postcodes and 62 alphanumeric codes, which are modelled/predicted codes (e.g. for a particular postcode the corresponding Acorn code may be 3.H.27; this indicates the postcode relates to “Conformable communities with steady neighbourhoods and with suburban semis, conventional attitudes”). Please note that a given Acorn code will be shared by many different postcodes and is not unique for a given postcode.

(B) Recruitment: When you apply for a job at CACI, are employed by us, or contract with us as a consultant, we will use and store your personal data to enable us to consider your application and/or hire you.

(C) Potential and actual client/supplier B2B contacts: We keep the contact details of people at organisations we do business with in order to maintain cordial relations with them and/or offer, provide or receive the contracted products or services.

(D) B2B marketing: If you are, or we think that the organisation that you work for is or may be interested in our services, we will process your B2B contact details to provide you with information relating to our services.  For more details on how we collect, store and use personal data for our own marketing purposes, click here.

(E) Website browsing: As you browse our website at we will collect data on your IP address (a unique code, which identifies the computer or device you are using), operating system and browser type, and may send cookies to your device to track your progress through our website.  For more details on cookies click here.

Big table of information

You can view details for in the table of information PDF here.

Do we collect your email, phone number data or card/debit card information?

No, except in relation to your email and phone number where (a) you have given it to us or a recruitment agent for recruitment purposes, (b) we have collected it for our B2B marketing services to the organisation that you work for, or (c) you work for one of our clients or suppliers. 

Who do we share your personal data with?

We may share your personal data with our clients and partners, which include the following types of organisations:

  • Advertising agencies
  • Automotive companies
  • Care homes
  • Charities
  • Energy and water suppliers
  • Financial Services, including banks, building societies, insurance companies and credit card providers
  • Health and beauty companies
  • Housing, including private builders and developers and social housing providers
  • Internet companies
  • Leisure groups, including restaurant and pub chains, cinemas, gyms
  • Local and central government
  • Mail order companies
  • Marketing services providers
  • Media companies, including newspaper and magazine publishers and TV companies
  • Packaged goods manufacturers
  • Political parties
  • Professional Advisors who advise us (e.g. lawyers, accountants)
  • Public and private health care providers
  • Public sector organisations
  • Retailers of all types
  • Telecommunications companies
  • Travel and transport, including travel agents, rail and bus operators and airlines
  • Our IT services providers partners (e.g. IT security service providers, hosting providers) 

How long do we keep your personal data for? 

We only retain information for as long as it is required for the purpose(s) for which we legitimately use it, or for longer periods if required for legal and regulatory reasons. When we buy in or license in personal data the period for which we use it can vary depending on the contract terms with the data supplier.

In any event personal data that is out-of-date is of little use for our marketing activities or data services. Accordingly, we delete personal data when it is no longer sufficiently recent to be useful. The exact length of time could differ for different types of personal data and sources. In general terms the personal data in the databases we sell to our clients and partners are refreshed annually, since in most cases we receive annual updates for the personal data lists we use. Also, we check these refreshed lists against any suppressions lists to reduce the chance of you being contacted when you have asked not to be contacted.

We keep copies of our single largest source of personal data, the edited Electoral Register for 6 years. Since Parliamentary elections must be held, at least, every five years it is reasonable to expect that the local authorities will hold and process your data for at least this period. In addition, we receive an extra annual refresh after the five years and so have 6 years’ worth of data at any one time. We often enter into multi-year data services contracts with our clients and use previous copies of the edited Electoral Register for checking names and addresses for our clients.

In relation to your CV, cover letters and other information you provide in response to our recruitment activities, we keep it for up to 6 months from the date of receipt, unless the job advert makes it clear that we keep it for longer, or you otherwise consent to us keeping it for longer. Successful applicants will, on joining us, have access to our internal data retention policy.

Do we send personal data outside of the European Economic Area (EEA)?

We will only send personal data outside of the EEA in accordance with the strict provisions and protections set out in GDPR (e.g. via use of the EU Model Clauses).

We do not transfer your personal data outside of the EEA except, (a) on the rare occasion that our clients and/or partners might ask us to send the personal data to their locations outside of the EEA, or (b) where we use international organisations (e.g. Amazon Web Services) to provide IT and IT security, backup and hosting related services.  From time to time we may use IT service providers in the UK that provide support and maintenance using staff who are located outside of the EEA (e.g. an IT support desk based in India).

Your privacy rights

In relation to your personal data you have the right, e.g. by sending an email or letter to our Compliance Team (using the above contact details) to request us to do any of the following:
  1. Give you access to your personal data, free of charge. This is usually done via a “subject access request”, which simply requires you to contact us and ask for your personal data. We will respond as soon as possible and in any case within 30 days of you providing us with the necessary proof of ID (which we will delete or destroy shortly after sending you our response). To enable us to respond faster to your request it would help if you informed us whether you have ever applied for a job at CACI, or received any emails from us to your work email address and/or post from us to your work address. We are entitled to charge you a reasonable administration fee for additional copies or when your request is excessive.
  2. Correct your personal data if it is incorrect.
  3. Delete your data. This is also known as the “right to be forgotten”. If you request this, we will delete your personal data from our databases (but will keep your details on a suppression list so we know not to provide anyone with your personal data should your data come into our possession and control again (e.g. if we buy in a subsequent copy of the edited Electoral Register containing your details).
  4. Restrict/limit processing (e.g. usage) of your personal data in some circumstances, where you do not like the purpose for which we use it whilst allowing us to use it for other purposes. In practical terms, you may ask us just to delete your personal data.
  5. Object to processing (e.g. usage or storage) of your personal data. Again, in practical terms, you may ask us just to delete your personal data.
  6. Transfer your personal data, in a suitable standard format, to another organisation. 

How to complain

If you are not happy with the way we have responded to you, or with the way we process your personal data, we would like to hear further from you. Please contact our Compliance Team using details provided above.

Also you have the right to complain to the ICO, which you can reach on 0303 123 1113 or at (in particular see ).

IT security

Information security is CACI’s top priority. We maintain and practise a very high level of IT security to protect your personal data and accordingly are certified to the ISO27001 Information Security management standard. Our IT systems are regularly checked to see if they are safe from hackers. To help prevent internal personal data breaches our staff have been given data protection training and relevant staff have also been given IT data security training. We will continue to provide regular privacy and data security training and materials to staff.